Computing resources face an ever-present threat of becoming “infected” with malicious content. For instance, a user's computer may become infected when the user expressly downloads malicious content, e.g., by opening an email attachment or clicking on a link on a network site. A user's computer may also acquire malicious content in a more passive manner. For example, a malicious network site can pass on malicious content in a “drive-by” fashion when the user simply visits the site, without necessarily clicking on any links on that site. Many other techniques exist for propagating malicious content in a network environment. Further, even when no harm is caused to computing resources, there is a risk that a malicious entity may acquire personal information regarding a user.
In a known approach, an analysis tool can investigate the safety of a particular site by accessing that site in a virtual machine (VM) mode of interaction. The site may link to one or more other sites. If so, the analysis tool can “follow” the links and access those other sites too. The analysis tool may identify the particular site as potentially harmful if that site (or its linked resources) causes an undesirable change in the state of the virtual machine. In one case, the change in the state of the virtual machine is caused by downloading a malicious file.
While useful, the above approach is not without its shortcomings. The threats within a network environment are very diverse and constantly changing. The above-described process (of accessing sites and following links) may require a significant amount of time to perform. It may therefore be difficult for such a process to keep abreast of evolving threats in a network environment.
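The known approach described above, as an added example that is not part of the original text: a Python model of visiting a site, following its links, and flagging the site when any visited resource changes the machine state. The VM visit is replaced by a stand-in function, and the URLs, file paths, hashes and cache allow-list are constructed assumptions.

```python
from collections import deque

# Constructed sample data: clean VM baseline (path -> content hash).
BASELINE = {"C:/Windows/system32/kernel32.dll": "a1", "C:/Users/test/prefs.ini": "b2"}

# Constructed link graph and per-site effects standing in for real VM visits.
LINKS = {
    "http://portal.example": ["http://news.example", "http://ads.example"],
    "http://news.example": [],
    "http://ads.example": ["http://landing.example"],
    "http://landing.example": [],
}
EFFECTS = {  # files each site writes during a visit (absent = no change)
    "http://landing.example": {"C:/Users/test/AppData/dropper.exe": "ff"},
    "http://news.example": {"C:/Users/test/cache/page.tmp": "c3"},
}
BENIGN_PREFIXES = ("C:/Users/test/cache/",)  # hypothetical allow-list: browser cache

def visit_in_vm(url):
    """Stand-in for loading url in a freshly reverted VM; returns post-visit state."""
    state = dict(BASELINE)
    state.update(EFFECTS.get(url, {}))
    return state

def undesirable_changes(before, after):
    """Paths created or modified during the visit, minus expected cache writes."""
    changed = [p for p, h in after.items() if before.get(p) != h]
    return sorted(p for p in changed if not p.startswith(BENIGN_PREFIXES))

def analyze_site(root, max_depth=2):
    """Visit root, follow links breadth-first, record which resource changed state."""
    findings, seen, queue, visits = {}, {root}, deque([(root, 0)]), 0
    while queue:
        url, depth = queue.popleft()
        visits += 1  # each visit costs one VM revert plus one page load
        changes = undesirable_changes(BASELINE, visit_in_vm(url))
        if changes:
            findings[url] = changes
        if depth < max_depth:
            for nxt in LINKS.get(url, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return {"site": root, "harmful": bool(findings), "findings": findings, "visits": visits}

if __name__ == "__main__":
    print(analyze_site("http://portal.example"))
```

The `visits` count grows with every link followed, and lowering `max_depth` to 1 misses the change made by the second-hop resource, which is the time-versus-coverage cost the last paragraph describes.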